The Scenario 


An employee working for the data controller left work early on Friday 28 June 
and went out into town before heading home on the train. 


On Sunday 30 June, the employee is preparing for the next day and cannot
locate his briefcase, which contains his laptop and paper files. Assuming he left
his briefcase at the office, he doesn’t report it to his manager.


On Monday 1 July, the employee realises he did not leave his briefcase at the 
office and it is lost. He contacts lost property at the train station to check 
whether it has been handed in, with no luck. On Monday afternoon, the 
employee reports to his manager that the briefcase is missing. The employee 
informs his manager that he believes the laptop is encrypted and that the paper 
files are redacted. The manager reports the incident to the IT department, who
remotely wipe the laptop.


On Wednesday 3 July, the IT department discovers that the employee was
working on an old laptop which is not encrypted, and that the password is written
on a post-it note contained within the briefcase. The employee also confirms that,
upon further investigation, the paper files were for an upcoming criminal trial
and the personal identifiers had not been redacted, as he first believed. The
personal data includes:


- Names, contact details, witness statements, criminal convictions, health 
data, and data revealing racial or ethnic origin. 


The employee also has 20 more case files saved on his laptop, containing the 
personal data of over 100 data subjects. On Wednesday afternoon (3 July), the 
manager reports the incident to the DPO, who is out of the office until Monday (8 
July). 


Over the weekend, an individual publishes the case files online and sells a story 
to the press about a large organisation leaving a laptop containing sensitive 
material on a train. On Monday morning (8 July), the DPO receives a media 
enquiry regarding the incident. The DPO sets out to fully investigate the matter 
and speaks to the IT department, the employee and their manager. The DPO 
contacts the ICO at midday on Monday 8 July. 


